- Move db/schema.sql to supabase/migrations/ as the first supabase CLI
migration (manual `db push` only, no automated runner); re-add the
gebos_ingest role + grants there since init.sql never re-runs
- Add gebos-postgres-passwords oneshot on db-host: syncs role passwords
from sops (LoadCredential, journal-safe), makes supabase_admin
SUPERUSER and hands the auth schema to supabase_auth_admin to match
the upstream supabase/postgres image; add pg_hba rule for 10.0.0.0/8
- Vendor the official docker-compose (studio/kong/auth/rest/meta only,
external Postgres, loopback Studio with no Kong dashboard route) plus
kong.yml (trimmed) and kong-entrypoint.sh (verbatim); tested: compose
config, Kong config parse, migration applied on TimescaleDB pg17
- Document decisions as ADRs 0001-0004 (migrations, passwords, vendored
stack, JWT API keys incl. verify/mint procedure)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- sops-nix flake input, age + ssh-to-age in devShell, .sops.yaml with
per-host recipients (real pubkeys still TODO until lars bootstraps).
- nix/modules/gebos-secrets.nix centralises per-host secret subsets and
renders /run/secrets/gebos-env via sops.templates. Service modules now
read EnvironmentFile= from services.gebos.secrets.envFile instead of
the placeholder /etc/gebos/secrets.env.
- Falls back to a writeText env file when nix/secrets/secrets.yaml is
absent, so `nix flake check` and first-boot eval work pre-bootstrap.
- nix/secrets/README.md walks through age key + sops bootstrap.
- Dev defaults: ingester binary falls back to local tcp/postgres URLs,
process-compose adds mosquitto and wires GEBOS_MQTT_BROKER /
GEBOS_POSTGRES_URL / GEBOS_POSTGRES_PASSWORD + VITE_SUPABASE_URL /
VITE_SUPABASE_ANON_KEY, frontend defaults to 127.0.0.1:8000 in DEV.
Refs #23 (comment #110).